1、dsploit
https://github.com/jinglingshu1/dsploit
The most complete and advanced IT security professional toolkit on Android.
2、python-spidermonkey
https://code.google.com/p/python-spidermonkey/
This Python module allows for the implementation of JavaScript classes, objects and functions in Python, as well as the evaluation and calling of JavaScript scripts and functions. It borrows heavily from Claes Jacobssen’s JavaScript Perl module, which in turn is based on Mozilla’s PerlConnect Perl binding.
This code was originally written by John J. Lee in 2003. After being unmaintained for a number of years, it was subsequently picked up by Atul Varma in 2008.
3、patator
https://code.google.com/p/patator/ python
Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Currently it supports the following modules:
* ftp_login : Brute-force FTP
* ssh_login : Brute-force SSH
* telnet_login : Brute-force Telnet
* smtp_login : Brute-force SMTP
* smtp_vrfy : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup : Enumerate valid users using Finger
* http_fuzz : Brute-force HTTP/HTTPS
* pop_login : Brute-force POP
* pop_passd : Brute-force poppassd (not POP3)
* imap_login : Brute-force IMAP
* ldap_login : Brute-force LDAP
* smb_login : Brute-force SMB
* smb_lookupsid : Brute-force SMB SID-lookup
* vmauthd_login : Brute-force VMware Authentication Daemon
* mssql_login : Brute-force MSSQL
* oracle_login : Brute-force Oracle
* mysql_login : Brute-force MySQL
* mysql_query : Brute-force MySQL queries
* pgsql_login : Brute-force PostgreSQL
* vnc_login : Brute-force VNC
* dns_forward : Brute-force DNS
* dns_reverse : Brute-force DNS (reverse lookup subnets)
* snmp_login : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass : Brute-force the password of encrypted ZIP files
* keystore_pass : Brute-force the password of Java keystore files
The name “Patator” comes from http://www.youtube.com/watch?v=xoBkBvnTTjo
Patator is NOT script-kiddie friendly, please read the README inside patator.py before reporting.
4、THC-Hydra
A very fast network logon cracker which supports many different services. See feature sets and services coverage page – incl. a speed comparison against ncrack and medusa
The number one security hole is passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast. Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX, and is made available under GPLv3 with a special OpenSSL license expansion. Currently this tool supports: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported. This tool is proof-of-concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system. The program is maintained by van Hauser and David Maciejak.
5、Qianwei Music http://www.qianwe.com
6、sqlcipher https://github.com/sqlcipher/sqlcipher
7、shodan https://developers.shodan.io/python/tutorial.html#installation
There is a good new search engine named SHODAN. SHODAN is described as “Google for Hackers.” It finds systems around the world that lack proper authentication and authorization mechanisms. Its coverage ranges from home networks to SCADA systems. It does not matter whether the interface is web-based or network-based. It has the ability to scan every system.
8、dnsrecon python
https://github.com/darkoperator/dnsrecon
9、Taint-0.3.0 (an XSS code sniffer) released
Taint: an extension used for detecting XSS code (tainted strings). It can also be used to spot SQL injection vulnerabilities, shell injection, etc.
from: http://www.laruence.com/2012/02/18/2560.html
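10、xsscrapy: an XSS scanner written in Python. Reference: http://huoding.com/2014/10/30/380
11、Beebeeto is a PoC/EXP platform jointly maintained by many security researchers http://beebeeto.com/
12、Global IPv4 address geolocation database (Python and PHP versions) http://tool.17mon.cn/ipdb.html
Online: http://freeipapi.17mon.cn/8.8.8.8
13、Automated penetration testing tool – Heybe (python)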
http://www.freebuf.com/tools/50734.html https://github.com/heybe/fener
14、HTTPS front-end hijacking and its implementation http://www.jinglingshu.wiki/?p=9414
15、Open-source Android code for detecting fake base stations https://github.com/SecUpwN/Android-IMSI-Catcher-Detector
16、Webshell management tool Altman https://github.com/keepwn/Altman
16、Security big data analytics framework OpenSOC https://github.com/OpenSOC/opensoc
17、https://github.com/smarttang/w3a_Scan_Console
18、Fast automated phishing attacks against WPA networks wifiphisher
http://www.freebuf.com/tools/55754.html